U.K.: Google Breached Data Laws

By

Paul Sonne

Updated Nov. 4, 2010 12:01 a.m. ET

LONDON—U.K. authorities on Wednesday said Google Inc. broke the law by collecting data from personal wireless networks, reversing preliminary findings that had effectively given the U.S. company a pass.

Google in May disclosed that the camera-equipped cars it uses to take pictures for its Street View mapping service for years inadvertently collected personal data from unsecured wireless networks across the world, setting off a storm of criticism.

ENLARGE

Cars with special cameras used to photograph whole streets seen on the Google Street View stand at the world's biggest high-tech fair, CeBIT in Hanover, Germany, earlier this year..

U.K. Information Commissioner Christopher Graham said Google's actions constituted a "significant breach" of a data-protection law, adding that his office would ask the company to sign a binding commitment to prevent future breaches and agree to an audit of its data-protection practices in the U.K. Mr. Graham said his office doesn't plan to impose a fine.

The move came a week after the U.S. Federal Trade Commission said it had ended its investigation into the matter, saying Google had taken sufficient steps to ensure such an incident wouldn't reoccur. France, Germany and other countries continue to investigate Google's data grab, as are a group of U.S. state attorneys general.

Google initially said the data collected was fragmentary—and therefore not personal or sensitive. But Canadian regulators last month said that their investigation found that Google had captured highly sensitive information, including complete emails, user names, passwords and other sensitive data.

Google confirmed the Canadian regulator's findings, setting off a new round of investigations around the globe. In the U.K., the Information Commissioner's Office had essentially exonerated the company in a preliminary investigation in May, concluding that Google hadn't collected meaningful personal data so hadn't broken the law.

Now, the office has done an about-face after meetings in the past two weeks with Canadian authorities and other international regulators, according to a spokesman for the commissioner.

"In the light of the emerging findings from these detailed investigations, the admission by Google that personal data had indeed been collected and the fact that Google used the same technology in the U.K., the commissioner has decided that formal action is necessary," the spokesman said.

In his statement on Wednesday, Mr. Graham said the ICO is ready to take further regulatory action if Google doesn't comply with the terms of the legally binding commitment, which he has sent to the company. Google has yet to sign off.

The terms of the agreement include demands for Google to enhance its employee-training programs on privacy and security and institute a policy that requires Google engineers to maintain a "privacy design document" on projects. They also include a call for Google to commit to a consensual audit in the U.K. within nine months and delete the data collected once legally permitted.

Peter Fleischer, Google's global privacy counsel, said in a written statement that Google was sorry for collecting the data and noted that the company had had cooperated with the U.K.'s data regulator since announcing the mistake in May.

"As we have said before, we did not want this data, have never used any of it in our products or services, and have sought to delete it as quickly as possible," Mr. Fleischer said. "We are in the process of confirming that there are no outstanding legal obligations upon us to retain the data, and will then ensure that it is quickly and safely deleted."

Some have called U.K.'s response to the Google incident toothless, particularly when compared with that of other European countries. In a debate in the British Parliament last week, Conservative lawmaker Robert Halfon called the U.K. regulator's response "lamentable," and cited The Wall Street Journal's ongoing "What They Know" investigation into online privacy as evidence of the need to take a more watchful, and active, approach.

Simon Davies, head of advocacy group Privacy International, said Wednesday that the U.K. regulator simply followed the lead of other international regulators, instead of conducting an aggressive and professional investigation of its own. He called the response by the Information Commissioner's Office a "travesty," and said the regulator failed to "fulfill any level of commitment to finding the truth."

"We don't believe the proposed course of action is in any way meaningful," Mr. Davies said. He called the action "too little too late."

France's data-protection authority is weighing whether to punish Google and was expected to announce a verdict at year-end, according to Yann Padova, the organization's secretary general. Google could face a fine of up to €150,000, or about $210,000, in France, and a separate criminal enquiry could be opened depending on the findings. Germany, where the state protects privacy fiercely and continues to investigate, is expected to take a hard line.

This copy is for your personal, non-commercial use only. Distribution and use of this material are governed by our Subscriber Agreement and by copyright law. For non-personal use or to order multiple copies, please contact Dow Jones Reprints at 1-800-843-0008 or visit www.djreprints.com.